Passing application context from IdP back to SP

Cantor, Scott cantor.2 at
Tue Nov 27 20:29:36 EST 2012

On 11/27/12 8:18 PM, "Andrei Remenchuk" <andrei144 at> wrote:

>I have managed to make it work by overriding handlerURL in application

That is the only way overrides based on path will ever work. It's the
entire basis of the mechanism. Every application MUST have unique, mapped
endpoints, full stop, no exceptions.

>This works and does what I am trying to achieve, however that requires me
>to declare these handlers in SP metadata as separate
>AssertionConsumerService entries, in addition to default consumer service:


>The problem is that we want to provision organizational entries
>dynamically and give all different IdPs single fixed metadata for our
>SP, ideally without any organization-specific details built into it and
>without hard-coding any paths. We don't want to deal with virtual hosts
>either. Is that even possible?


>Are there any ways to cleanly share single common
>AssertionConsumerService between different applications and preserve
>application context?

Absolutely not. The main point of using separate applications is to
isolate session context and cookie policy, which means by definition the
handler has to be able to set a cookie that can be read by the resources.

-- Scott
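
A consistency check for the two requirements raised in this thread, as an added example that is not code from the post or from the Shibboleth project: every application needs its own handlerURL, and each handler needs a matching AssertionConsumerService entry in the SP metadata. The configuration and metadata fragments, the host name and the application ids are constructed and simplified.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

SP = "{urn:mace:shibboleth:2.0:native:sp:config}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed, simplified shibboleth2.xml fragment: org3 reuses org1's handler.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso"/>
    <ApplicationOverride id="org1"><Sessions handlerURL="/org1/Shibboleth.sso"/></ApplicationOverride>
    <ApplicationOverride id="org2"><Sessions handlerURL="/org2/Shibboleth.sso"/></ApplicationOverride>
    <ApplicationOverride id="org3"><Sessions handlerURL="/org1/Shibboleth.sso"/></ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed SP metadata: there is no AssertionConsumerService for org2.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/org1/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def handler_urls(config_xml):
    """Map application id -> handlerURL for the default app and each override."""
    defaults = ET.fromstring(config_xml).find(SP + "ApplicationDefaults")
    apps = {"default": defaults.find(SP + "Sessions").get("handlerURL")}
    for override in defaults.findall(SP + "ApplicationOverride"):
        sessions = override.find(SP + "Sessions")
        # Assumption: an override with no handlerURL of its own uses the default one.
        own = sessions.get("handlerURL") if sessions is not None else None
        apps[override.get("id")] = own or apps["default"]
    return apps

def audit(config_xml, metadata_xml):
    """Return (apps sharing a handlerURL, apps with no ACS entry in metadata)."""
    apps = handler_urls(config_xml)
    counts = Counter(apps.values())
    shared = sorted(a for a, h in apps.items() if counts[h] > 1)
    root = ET.fromstring(metadata_xml)
    acs_paths = [urlparse(e.get("Location")).path
                 for e in root.iter(MD + "AssertionConsumerService")]
    # Compare on the path prefix so /Shibboleth.sso does not match /org1/Shibboleth.sso.
    missing = sorted(a for a, h in apps.items()
                     if not any(p.startswith(h.rstrip("/") + "/") for p in acs_paths))
    return shared, missing
```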
